
A question of utmost concern now confronts all who defend national infrastructure: when the attackers are quicker than your patch window, what is left to protect the core of your operations? The recent attack by China-linked advanced persistent threat (APT) actors against the U.S. National Nuclear Security Administration (NNSA), using a zero-day exploit for Microsoft SharePoint, has made that question newly urgent for cybersecurity professionals and policy-makers.

1. The Zero-Day That Opened the Floodgates
The vulnerability at the root of this crisis, CVE-2025-53770, is a deserialization vulnerability in on-premises Microsoft SharePoint Server with a CVSS score of 9.8. Microsoft reports that “Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorised attacker to execute code across a network.” Exploited by the campaign now named “ToolShell”, the bug enabled unauthenticated remote code execution to spread quickly through unpatched servers. Bitdefender’s testing confirmed that “this deserialization bug” lets unauthenticated attackers execute arbitrary code on vulnerable networks, leading to complete system compromise, and that a critical remote code execution (RCE) vulnerability was under active, large-scale exploitation.

2. Lightning-Fast Exploitation: 72 Hours from PoC to Compromise
The speed of the attack surprised even experienced threat researchers. Carlos Perez, director of security intelligence at TrustedSec, noted, “It took only 72 hours from when a proof of concept had been demonstrated before attackers started mass exploitation campaigns.” Team Cymru telemetry has found that “exploitation tends to start within three hours of public release” of exploit code, and with ToolShell, live exploitation was observed before the PoC had even been published on GitHub: Team Cymru’s data holdings show evidence of exploitation before public exploit code became available. This compressed timeline made the traditional patch window a thing of the past, and defenders were once again playing catch-up.

3. Anatomy of the Attack: From Initial Access to Cryptographic Key Theft
Attackers used a chain of vulnerabilities, beginning with CVE-2025-49704 and CVE-2025-49706, that matured into the ToolShell exploit. They sent a crafted POST request to the targeted endpoint, bypassing authentication with a spoofed Referer header. Once access was gained, the actors compromised the machine by uploading malicious ASP.NET scripts, most notably spinstall0.aspx, to steal the server’s MachineKey settings, specifically the DecryptionKey and ValidationKey. According to Bitdefender, “By having the ability to obtain these MachineKey values, attackers can then programmatically construct valid VIEWSTATE payloads from an external source, essentially circumventing authentication and executing arbitrary commands on the SharePoint server, even if the original vulnerability might be patched if the keys are not being rotated.”

4. The NNSA Breach: Limited Damage or Endless Risk?
The NNSA, the federal agency responsible for managing the U.S. nuclear weapons stockpile, was one of the 400+ organisations affected. “The department was minimally affected because it uses the Microsoft M365 cloud extensively and has very robust cybersecurity systems,” an agency spokesperson said. “A very small number of systems were affected.” All impacted systems are being restored. Nevertheless, security professionals warn that the theft of cryptographic keys enables continued impersonation and remote code execution even after patching. As Eye Security put it, “The breaches could enable hackers to impersonate users or services by stealing cryptographic keys even after software patches.”

5. Scope and Scale: A Global Campaign
The scope of this attack is unprecedented. Eye Security reported, “More than 400 organisations and agencies globally were impacted, including Middle Eastern and European national governments.” Targets included U.S. state agencies and educational institutions, energy companies, and international governments. In multiple environments the attackers have been observed moving laterally, escalating privileges, and deploying ransomware tools such as Warlock and LockBit, with Storm-2603 using these intrusions to deliver ransomware.

6. APT Tradecraft: Linen Typhoon, Violet Typhoon, and Storm-2603
Microsoft attributed the campaign to three China-nexus APT groups: Linen Typhoon (APT27/Emissary Panda), Violet Typhoon (APT31/Judgement Panda), and Storm-2603. Linen Typhoon has a history of intrusions into government and defence organisations for intellectual property theft, while Violet Typhoon conducts espionage against NGOs, think tanks, and media. Storm-2603, though less experienced, has been linked to ransomware deployment and credential harvesting. Microsoft observed, “Threat actors who were able to successfully exploit the authentication bypass and remote code execution vulnerabilities have been observed using a web shell in their post-exploitation payload.”

7. Mitigation: The New Reality of Cloud and Key Management
Microsoft responded with “new comprehensive security updates” for every supported version of SharePoint Server, but researchers note that patching alone will not suffice: organisations also need to regenerate their ASP.NET MachineKeys and recycle IIS after patching. Microsoft warns, “After applying the most recent security updates, clients need to rotate SharePoint server ASP.NET machine keys and recycle Internet Information Services (IIS) across all SharePoint servers.” Beyond that, enabling the Antimalware Scan Interface (AMSI), deploying Defender for Endpoint, and segmenting the network are today’s best practices. Microsoft has released security updates that fully protect customers.
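To make concrete why the key rotation in this section, and not just the patch, closes the hole described in section 3, here is an added Python illustration (not code from the page, from Microsoft, or from any researcher quoted). It models the ValidationKey as an HMAC key over view state: state signed with a leaked copy of the key validates whether or not the deserialization bug is patched, and only rotating the key (what the SharePoint Update-SPMachineKey cmdlet followed by an IIS recycle does on a real server) makes the server reject it. The real __VIEWSTATE encoding and the DecryptionKey are deliberately not modelled.

```python
"""Why patching alone does not close the ToolShell hole: a leaked
ValidationKey keeps validating MAC-protected state until the key is rotated.
Added illustration only; it models the HMAC idea, not ASP.NET's real format."""
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


class MachineKeyStore:
    """Stands in for the <machineKey> ValidationKey a SharePoint server uses
    to MAC its view state (the DecryptionKey is omitted for brevity)."""

    def __init__(self) -> None:
        self.validation_key = secrets.token_bytes(64)

    def rotate(self) -> None:
        # Models Microsoft's post-patch guidance: regenerate the key, then
        # recycle IIS so every worker process picks up the new value.
        self.validation_key = secrets.token_bytes(64)


def sign_state(key: bytes, state: bytes) -> bytes:
    """Append an HMAC-SHA256 tag, as the server does before handing state to a client."""
    return state + hmac.new(key, state, hashlib.sha256).digest()


def verify_state(key: bytes, blob: bytes) -> bool:
    """Accept the blob only if its tag was produced under the current key."""
    if len(blob) < TAG_LEN:
        return False
    state, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, state, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison


def rotation_scenario() -> dict:
    """Walk through the page's argument: key leaked -> state built off-server
    validates even on a patched host -> rotation finally rejects it."""
    server = MachineKeyStore()
    leaked_key = server.validation_key  # what a spinstall0.aspx-style web shell exfiltrates
    external_blob = sign_state(leaked_key, b"constructed-state")  # built outside the server
    accepted_before = verify_state(server.validation_key, external_blob)
    server.rotate()  # the mitigation step beyond patching
    accepted_after = verify_state(server.validation_key, external_blob)
    fresh_blob = sign_state(server.validation_key, b"constructed-state")
    return {
        "accepted_before_rotation": accepted_before,   # True: patch alone does not help
        "accepted_after_rotation": accepted_after,     # False: leaked key is now useless
        "legit_state_after_rotation": verify_state(server.validation_key, fresh_blob),
    }
```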

8. Lessons for Defenders: Patch Velocity, Detection, and Resilience
The ToolShell compromise underlines the need for real-time vulnerability management. “Old and busted: ‘Patch Within SLA.’ New paradigm: ‘Patch Now,’” Team Cymru’s Josh Hopkins pointed out. Even a 24-hour patch window is now too slow, however compliant it may be. The attack also illustrates the need for endpoint detection and response (EDR) capable of identifying fileless, in-memory malware: some activity clusters executed entirely in memory with zero disk artefacts, and telemetry and behavioural evidence point to the attackers’ use of in-memory .NET module execution. Proactive incident response, cryptographic hygiene, and ongoing monitoring are now essential for any organisation operating critical infrastructure.

The breach of the NNSA and hundreds of other organisations is not only a warning sign; it is a playbook for the next generation of state-led cyber operations. The technical capability, velocity, and tenacity of these attacks demand a new level of alertness and responsiveness from all defenders of critical infrastructure.